Question

Getting redirected after completing search - click a link, get redirected

Asked by: ixpose99

If I do a search (google, yahoo, lycos, whatever) I get the results page displayed.  If I click on a link I MIGHT go to that site or I may be redirected to any number of sites.  If I go back and click the same link again, I get redirected somewhere else.  If I go back and click on the same link a THIRD time, it takes me to the correct site.  If I go back and click again, it will forever take me to the right site.  So will all the other links on that page - until I move to the next page where the trouble starts all over again.  Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:42 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kurt Tilton\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D1312E32-B3BB-483E-A6C9-754CACA0FDA7}\SVCHOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

As you can see, there's not much running.  I have used Ewido, Spybot, ad-aware, trendmicro.com (full scan) and keep coming up clean.  I have been fixing PCs for ten years and I'm stumped.  Please help if you can...


Asked on: 2005-11-10 at 16:16:38 (ID 21627140)
Tags: redirected, getting, i, search
Topic: Web Browsers
Participating Experts: 3 | Points: 400 | Comments: 41


Answers

 

by: war1, posted on 2005-11-10 at 16:22:11 (ID: 15270570)

Greetings, ixpose99 !

You should not have posted the HJT log here.  Instead run it through the analysis at http://hijackthis.de. Save the analysis and post a link to it here. Here is a link to the analyzed log

http://hijackthis.de/logfiles/d1e18437863633854a6967b4eac8df74.html

Have HJT remove all items marked "Nasty"

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D1312E32-B3BB-483E-A6C9-754CACA0FDA7}\SVCHOST.EXE  

The redirect pages may be in the Google page itself, as I have seen. First cleanup the above and see if you still have the problem.

Best wishes!
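The reasoning behind marking that O4 entry as nasty, turned into a check, as an added example that is neither HijackThis code nor from the thread: a file named SVCHOST.EXE (or another core Windows binary) has exactly one legitimate home, so a Run entry pointing at the same name under a GUID-named directory is masquerading. The sample lines are copied from the log above, except the lsass.exe line, which is constructed.

```python
"""Flag HijackThis O4 (Run key) entries whose image masquerades as a Windows
system binary but lives outside that binary's home directory.

Added example; not part of HijackThis or of the thread above.
"""
import re
from pathlib import PureWindowsPath

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
GUID_DIR_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Core binaries and the directory (relative to the Windows directory) that is
# their only legitimate home. Same file name anywhere else = masquerading.
SYSTEM_BINARIES = {
    "svchost.exe": ("system32",), "services.exe": ("system32",),
    "lsass.exe": ("system32",), "csrss.exe": ("system32",),
    "winlogon.exe": ("system32",), "smss.exe": ("system32",),
    "spoolsv.exe": ("system32",), "explorer.exe": (),
}

# Sample O4 lines: the first four are copied from the log posted above,
# the last one is constructed (hypothetical) to show a second hit.
SAMPLE_O4 = "\n".join([
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D1312E32-B3BB-483E-A6C9-754CACA0FDA7}\SVCHOST.EXE",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Windows Security] C:\WINDOWS\lsass.exe",  # constructed
])


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take tokens up to the first one ending in .exe. Paths with
    # spaces are normally quoted in HJT logs, so this covers the usual cases.
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def triage_o4(log: str) -> list[tuple[str, str, str]]:
    """Return (label, image path, reasons) for every suspicious O4 entry."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(image_path(m["cmd"]))   # also collapses '\\'
        parts = [p.lower() for p in path.parts]
        if len(parts) < 2:      # bare name such as RUNDLL32.EXE: nothing to judge
            continue
        reasons = []
        if GUID_DIR_RE.search(str(path.parent)):
            reasons.append("GUID-named directory")
        expected = SYSTEM_BINARIES.get(path.name.lower())
        if expected is not None:
            in_windows_dir = parts[1] in ("windows", "winnt")
            if not in_windows_dir or tuple(parts[2:-1]) != expected:
                reasons.append("system binary name outside its home directory")
        if reasons:
            findings.append((m["label"], str(path), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, path, why in triage_o4(SAMPLE_O4):
        print(f"[{label}] {path}\n    -> {why}")
```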

 

by: RedKelvin, posted on 2005-11-10 at 16:23:01 (ID: 15270576)

Firstly try clearing your browser files, history and cookies under
Tools --> internet options --> general tab

Does the same thing happen if you use FireFox?
www.mozilla.org

try resetting and clearing IE
http://support.gateway.com/s/software/microsof/sHARED/xpsp2/7513002su68.shtml

you could try repairing IE
http://www.theeldergeek.com/repair_ie6.htm

 

by: ixpose99, posted on 2005-11-10 at 19:21:06 (ID: 15271172)

Thank you both for your rapid responses -

War1: I removed the offending entry in HJT but still encounter the same problem.

RedKelvin: Browser history, cookies and temp files are gone - same problem.  I reset everything for IE but again, same problem.  I tried repairing IE and (surprise) still the same problem.

However, the problem does not occur in Firefox.

I've never seen anything like this.  I've dealt with spyware, malware, adware, hijackers... they've always left tracks you could follow.  This has me bewildered.  Any more ideas?

Thanks-
KAT

 

by: war1, posted on 2005-11-10 at 19:33:14 (ID: 15271215)

Did the file that you deleted in HijackThis return?

Look in the HOSTS File.   Do a search for HOSTS file and open it with Notepad.  See if there is anything in there doing the redirecting.  If the HOSTS file looks blank, scroll down to see the entries. HOSTS file is a hidden file, so you have to unhide hidden files.

 

by: RedKelvin, posted on 2005-11-10 at 19:36:51 (ID: 15271230)

You could use msconfig to disable all startup items, and non windows services, restart and see if you have the issue, if it is gone, you can add things back a few at a time until the problem re-presents itself

 

by: ixpose99, posted on 2005-11-10 at 21:44:39 (ID: 15271630)

RedKelvin: I've been there - as a gamer I always make sure there's nothing running that shouldn't be.  I pride myself in keeping a fast booting machine and that requires me to be sure there isn't anything starting that I don't want.  That includes services (of which there is a lexmark service and a securerom ua7 service).  I know the problem is not repairable through msconfig.  Thanks anyway.  


war1: The file did not reappear.  I found several HOSTS files - which all say they are SAMPLES of hosts files.  The only file without an extension (the others had .bho or .backup) listed the following:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

Could this be the cause of my problem?  If so, how and why please?  I need to understand this in case I come across it in the future.

Thanks again-
KAT

 

by: war1, posted on 2005-11-10 at 22:14:52 (ID: 15271732)

KAT, the entries inserted at the bottom were done by Spybot Search and Destroy.  They are used to block malware websites.

So your HijackThis log is clean. Hosts file is clean.  Run a scan with Rootkit Revealer, and post the log, if it is not too long. This utility shows files hidden from Windows API

http://www.systeminternals.com/utilities/rootkitrevealer.html

Would you give an example of a Google or Yahoo search where you got redirected?  I know that a few links on Google search get redirected to shopping sites.  But those problems are due to Google links, not one's computer.
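A way to make the HOSTS-file check discussed above mechanical, as an added example that is not part of the thread: it parses the file, treats loopback and 0.0.0.0 mappings (what Spybot's immunization entries in the posted file are) as blocks, and reports any name mapped anywhere else as a redirect. The sample input reproduces a few lines of the posted file; the two 198.51.100.23 lines are constructed to show what a hijacked entry would look like.

```python
"""Triage a Windows HOSTS file: separate blocklist entries from redirects.

Added example, not from the thread. Each mapping is classified as:
  - "localhost": the normal 127.0.0.1 localhost line;
  - "block":     loopback or 0.0.0.0 mapping, which blackholes the name
                 (this is what Spybot's immunization entries do);
  - "redirect":  any other address, which silently sends traffic for that
                 name elsewhere and deserves a closer look.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the first lines mirror the HOSTS file posted above;
# the two 198.51.100.23 lines are hypothetical (TEST-NET-2 address) and show
# what a hijacked entry would look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1  www.igetnet.com
127.0.0.1  clear-search.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
198.51.100.23   www.google.com      # hypothetical hijack
198.51.100.23   housecall60.trendmicro.com
"""


@dataclass
class HostEntry:
    line_no: int
    ip: str
    host: str
    kind: str  # "localhost", "block" or "redirect"


def classify(ip: str, host: str) -> str:
    addr = ipaddress.ip_address(ip)
    if host.lower() == "localhost" and addr.is_loopback:
        return "localhost"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def parse_hosts(text: str) -> list[HostEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line: skip it
        for host in fields[1:]:                    # one IP may carry several names
            entries.append(HostEntry(n, fields[0], host, classify(fields[0], host)))
    return entries


def redirects(text: str) -> list[HostEntry]:
    """Only the entries that send a name somewhere other than loopback."""
    return [e for e in parse_hosts(text) if e.kind == "redirect"]


if __name__ == "__main__":
    for e in parse_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no:3d}  {e.kind:9s}  {e.ip:16s} {e.host}")
```

A redirect that shows up only in one browser while the HOSTS file holds nothing but blocks, as in this thread, points at browser-side components rather than at name resolution.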

 

by: Mere_Mortal, posted on 2005-11-11 at 16:39:05 (ID: 15278073)

Hello :)

I'm under the impression that the HOSTS entries have in fact been added by Look2Me, although your HJT log shows no problems, let alone anything related to L2M. I still however recommend running http://www.downloads.subratam.org/VX2Finder.exe

Once downloaded, execute the file and "Click to Find VX2.BetterInternet". Once complete, click "Make Log" and post back with the contents of the resulting logfile. This will establish whether there is anything relating to the suspected infection.

Regards,
M_M

 

by: war1, posted on 2005-11-11 at 16:50:57 (ID: 15278126)

Mere_Mortal, why would Look2Me post HOSTS entries to block adware sites?

 

by: Mere_Mortal, posted on 2005-11-11 at 18:47:56 (ID: 15278523)

Well, either they're from Spybot, like you say, or it's no coincidence that these entries appear alongside countless cases of L2M, including past VX2 variants. Either way, there's no harm in checking.

Much malware will do something like this, it's probably a natural corporate behaviour, competition and all...money basically ;o) In other scenarios, some worms remove other worms.

 

by: ixpose99, posted on 2005-11-11 at 21:37:51 (ID: 15278867)

Hello-
I will try the rootkit revealer and the vx2 finder after that.  I remember that a few weeks ago while researching problems someone was having with surfsidekick (what a horribly insidious program that is) I wound up at a site that attempted to install something but I ended the tasks before they could complete.  I don't remember what site or what it was installing, I just panicked and did what I had to in order to stop the processes from completing.  I then ran spybot and adaware and ewidos before I rebooted and then again after I rebooted in the hopes that they would catch something before it got too far.  Everything seemed to be OK until I noticed the redirection during searches.  Three redirects per page, it seems, then it will go where it should.

Doing a search on google for "chairs" - I clicked on the resulting "chairs.com" and was redirected to "theprivatecollector.com " (also a furniture site) then went back and clicked on "chairs.com" again and got redirected to "buyerzone.com" - the third time I clicked on "chairs.com" it took me to the correct site and every other link on the search page took me to the correct site.  Then I selected the second search page and it happened again - on the third attempt I was sent to the proper site.

I will report back the rootkit results as soon as I can.  Thanks again for all your help.

KAT

 

by: war1, posted on 2005-11-14 at 12:29:36 (ID: 15290716)

KAT, any update?

 

by: ixpose99, posted on 2005-11-14 at 18:26:00 (ID: 15292805)

Sorry, it's been a crazy weekend.  I'll report back by Wednesday

 

by: ixpose99, posted on 2005-11-15 at 23:39:58 (ID: 15301586)

Here's what I got from the rootkit revealer.  I'm going to try vx2finder right now.

HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf40      10/28/2005 10:17 AM      0 bytes      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgIndoorWater_final$D3D9_VS11$Fog$CP$Proj#PosCommon.cgvp             2.04 KB      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgIndoorWater_final$D3D9_VS11$Fog$NoCP$Proj#PosCommon.cgvp             1.88 KB      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgNightVisionGlare$D3D9_VS11$Fog$CP#PosCommon.cgvp             1.72 KB      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgNightVisionGlare$D3D9_VS11$Fog$NoCP#PosCommon.cgvp             1.72 KB      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgOutdoorWaterRefraction$D3D9_VS11$Fog$CP$Proj#PosCommon.cgvp             2.12 KB      Hidden from Windows API.
E:\Far Cry\Shaders\HWScripts\Declarations\CGVShaders\Cache\CGVProgOutdoorWaterRefraction$D3D9_VS11$Fog$NoCP$Proj#PosCommon.cgvp             1.95 KB      Hidden from Windows API.

 

by: ixpose99, posted on 2005-11-15 at 23:44:25 (ID: 15301596)

OK, here's what I got from VX2 finder:

Log for VX2.BetterInternet File Finder (ALL)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Any help there?  I hope so.  It's annoying and it only seems to happen on search page links.  3 clicks on any link(s) then I'm good to go (just for that page).  Sorry about being repetitious, but it's the "3 clicks" thing that just seems to me to be an indicator of the problem.  I only wish I knew what it was indicating!

 

by: Mere_Mortal, posted on 2005-11-16 at 04:28:31 (ID: 15302554)

Okay, so it seems the hosts do indeed have nothing to do with L2M. Just a coincidence.

As for RKR, nothing there either. And it helps a'plenty if nothing else is running in the background except the system processes ;) Or were you running FarCry when you did a scan? I guess you were at least running Daemon.

Delete this directory... C:\WINDOWS\System32\Services ...if it still exists.
Ensure there are no startups with this path in your HijackThis results.

Then check this page to be sure none of the said nasties exist...
http://www.webhelper4u.com/CWS/Research/screenimages/searchterrordesktop.html#Files%20and%20their%20directories

And here to check for possible bad Registry keys...
http://www.webhelper4u.com/CWS/Research/screenimages/searchterrordesktop.html#Registry%20Keys

See here before modifying the Registry... http://support.microsoft.com/kb/322756
If you start finding the said Registry entries and you need help with removing them, I can sort out a couple of scripts that'll sort it out.

Let us know how this goes :)

 

by: war1, posted on 2005-11-16 at 07:45:31 (ID: 15303955)

When you get redirected in Google, I am suspecting that the links in Google are redirecting you, not a Trojan in your computer.  Some websites have hijacked the links, and Google has to fix them.

Would you give an exact link in which you get redirected?  I suspect I will be redirected also, which would confirm my diagnosis above.

 

by: ixpose99, posted on 2005-11-16 at 12:07:18 (ID: 15306233)

Hi-
War1: It's not just Google.  I went to MSN.com and searched for "bicycles".  I clicked on the result: "diamondback.com" and got sent to "ww2.exactsearch.com" twice before it lets me into diamondback.com

Here's what I posted earlier:
Doing a search on google for "chairs" - I clicked on the resulting "chairs.com" and was redirected to "theprivatecollector.com " (also a furniture site) then went back and clicked on "chairs.com" again and got redirected to "buyerzone.com" - the third time I clicked on "chairs.com" it took me to the correct site and every other link on the search page took me to the correct site.  Then I selected the second search page and it happened again - on the third attempt I was sent to the proper site.

I get redirected to sites RELATING to my search.  I've been redirected to Lycos, ebay, lots of places - none of them porn sites, all of them related to what I was searching for in the first place.

I have a hard time believing it's the search engines or you'd probably be hearing a lot more about it.

 

by: ixpose99, posted on 2005-11-16 at 12:25:07 (ID: 15306390)

Hi-
MereMortal: I checked for the files and reg entries and found nothing that was listed.

I obviously don't know enough about it, but it just seems to me that the "3-click" aspect is a big clue.  Why THREE clicks then I can go?  Is there anything out there (spyware, adware) that does that kind of thing?  Three redirects and you're set to go?  Or maybe constant redirects but I only have a few settings of the original program so it's only 3?

I'm baffled and frustrated.  I've upped the point value of this question to 350 - any help is appreciated.

Thanks for your efforts.

 

by: war1, posted on 2005-11-16 at 12:35:54 (ID: 15306485)

Do you have any search toolbar that you have downloaded?  Disable all of them.  One of them is redirecting you.

 

by: ixpose99, posted on 2005-11-16 at 12:59:59 (ID: 15306705)

War1: I have no search bars.  None have ever been installed on this machine.  Sorry.

 

by: Mere_Mortal, posted on 2005-11-16 at 14:20:48 (ID: 15307362)

Hi :)

Let's try something else...

Open the Internet Options, either in Internet Explorer > Tools or via the Control Panel. Choose the "Programs" tab and then "Manage Add-ons"...see if there's anything suspicious listed in there.

Its entries will also be listed in a Silent Runners log. You might post one of those as it may expose something that other scans have not...

http://www.silentrunners.org/index.html
http://www.silentrunners.org/Silent%20Runners.vbs

Regards,
M_M

 

by: Mere_Mortal, posted on 2005-11-16 at 14:21:18 (ID: 15307367)

By the way, have you ever considered a different web browser, such as Mozilla FireFox?

 

by: ixpose99, posted on 2005-11-17 at 03:11:56 (ID: 15310490)

Under the programs tab in IE there is no "Manage Add-ons".  I'm using XP home edition.

While Firefox works OK, I'm not a big fan yet.  Besides, this is happening for a reason and I really should find out what it is.

Here's the Silent Runners scan results: (There are at least two infection warnings and one hijack warning)

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Lexmark X73 Button Monitor" = "C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe" ["Silitek Corp."]
"Lexmark X73 Button Manager" = "C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe" ["Jetsoft Development Company"]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"DAEMON Tools-1033" = ""E:\D-Tools\daemon.exe"  -lang 1033" ["DAEMON'S HOME"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"dmoff.exe" = "C:\WINDOWS\System32\dmoff.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Image Composer\SERVER.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{D0FAC080-AE1A-11ce-8016-CE90976DC901}" = "Picture Publisher File Viewer"
  -> {CLSID}\InProcServer32\(Default) = "ppiv30.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Internet Shortcut" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csehg.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt 7.0\DropStuff\ShellDS.dll" ["Aladdin Systems, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt 7.0\DropStuff\ShellDS.dll" ["Aladdin Systems, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kurt Tilton\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 247 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 19 seconds.
---------- (total run time: 310 seconds)

 

by: Mere_Mortal | Posted on 2005-11-17 at 07:58:20 | ID: 15312499

Ah yes, my apologies...that's a Windows Service Pack 2 feature. Besides, the only two extensions are Java related.

This is most likely the problem...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"System" = "csehg.exe"

Go to http://virusscan.jotti.org/ and scan the file csehg.exe which will most likely be in the C:\WINDOWS or \System32 directory. Otherwise perform a search of the hard-drive.

Then, assuming it's a bad file which I'm sure it is, delete the key (Winlogon\Notify/System) by using the Registry Editor. Again, please ensure you are familiar with such procedures before using this console http://support.microsoft.com/kb/322756

And of course delete the file, using Unlocker or KillBox if necessary http://downloads.subratam.org/KillBox.exe

In the meantime, could you re-run HijackThis and check at the bottom of the list after scanning, for an O20 - Winlogon Notify?

Regards,
M_M

 

by: Mere_Mortal | Posted on 2005-11-17 at 08:08:09 | ID: 15312601

Oh, another thing...

If you did not want this set, you could change it via Regedit...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=dword:00000001

[disables toolbar status changes in Internet Explorer|View|Toolbars]

It may be something to do with eXactSearch, since they typically use a toolbar. By the way, does MarketBrowser mean anything to you?

 

by: ixpose99 | Posted on 2005-11-17 at 20:11:46 | ID: 15317501

Marketbrowser means nothing to me.
HijackThis showed no "O20" Winlogon Notify entry.
virusscan.jotti.org produced the following and I'm about to delete the key and the file:

File:  csehg.exe  
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)  
MD5  b33053052b0136815ec324ba172a7713  
Packers detected:  -
Scanner results  
AntiVir  Found Trojan/Dldr.Xsvix  
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Downloader.FFZ  
ClamAV  Found nothing
Dr.Web  Found Trojan.DownLoader.4316  
F-Prot Antivirus  Found W32/Downloader.IYV  
Fortinet  Found W32/Dloader.FFZ-tr  
Kaspersky Anti-Virus  Found Trojan-Downloader.Win32.Agent.uj  
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found Trojan-Downloader.Win32.Agent.uj  

 

by: ixpose99 | Posted on 2005-11-17 at 20:33:24 | ID: 15317576

Alright, here's a good one for you:  The file csehg.exe showed up in the virusscan.jotti.org "browse" feature but I had to unlock it before I could scan it.  Before I unlocked it (in their "browse" feature) I looked for it in Explorer and it's not there.  I have "view hidden" turned on but it's not between the two files it should be between.  But since it was there on virusscan.jotti.org I unlocked it and did the scan and posted the above results.  Then when I went into regedit, the entry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
doesn't have anything "system"-related.

This key doesn't exist either:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
There is no "policies" under "current version"

How can I delete or change a key that doesn't exist?

I'm dyin' here...

 

by: Mere_Mortal | Posted on 2005-11-17 at 20:39:44 | ID: 15317598

Well, MarketBrowser is what I was looking for in the IE add-ons. It's probably not an issue then, but something is loading with IE.

Let us know how the file removal goes and whether it helps.

Also, do an online scan here...

http://www.kaspersky.com/downloads/kws/kavwebscan.html

Be sure to select from the settings, to perform an extended scan. Also scan all partitions and let us know what's found.

 

by: Mere_Mortal | Posted on 2005-11-17 at 20:46:06 | ID: 15317613

How peculiar. Almost seems like it's actively hiding, and that only SilentRunners can see it.

Open notepad and copy/paste in the following...

;----------------------------------
REGEDIT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"System"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
;----------------------------------

Close/save the document as type All Files and as anyfilename.REG then execute the script, confirming to merge with the Registry.

Use KillBox, if you haven't already, to delete the file on reboot.

Some third-party Registry editors may be able to view this key, whilst "Security Task Manager" may also expose the process http://www.neuber.com/taskmanager/

 

by: Mere_Mortal | Posted on 2005-11-17 at 20:47:09 | ID: 15317618

I'll try that again...

;----------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"System"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
;----------------------------------
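The two scripts above differ only in their first line, and that line is what decides whether regedit accepts the file at all. The following is an added example (editor's code, not from the thread and not a Microsoft tool) that applies a REGEDIT4-style script to an in-memory snapshot of the two keys involved, so the deletion syntax `"Name"=-` and `[-Key]` can be exercised without touching a real registry. The snapshot contents and the key names are taken from the SilentRunners output quoted earlier; the tolerance for `;` comment lines ahead of the header is a convenience of this parser, not of regedit.

```python
"""Apply a REGEDIT4-style .reg script to an in-memory registry snapshot.

Added example (not from the thread). It models the two deletion forms a
.reg script can use, "Name"=- for a value and [-Key] for a whole key, and
it refuses a file whose header is not one regedit recognises, which is
the difference between the two scripts posted above.
"""
import copy
import re

NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
POLICY_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"

# Constructed snapshot of the two keys the script touches, holding the
# values SilentRunners reported in the thread.
SNAPSHOT = {NOTIFY_KEY: {"System": "csehg.exe"}, POLICY_KEY: {"NoBandCustomize": 1}}

# The corrected script from the thread, verbatim.
CLEANUP_SCRIPT = r"""
;----------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"System"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
;----------------------------------
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|(@))=(.*)$')


def _lines(text):
    """Non-blank, non-comment lines, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(";")]


def is_valid_header(text):
    """True if the first meaningful line is a header regedit accepts.
    Regedit itself expects the header on line 1; the comment lines that
    precede it in the posted script are skipped here for convenience."""
    lines = _lines(text)
    return bool(lines) and lines[0] in HEADERS


def parse_reg(text):
    """Return a list of actions: ("delete_key", key), ("delete_value", key,
    name) or ("set_value", key, name, raw). The default value is named ""."""
    if not is_valid_header(text):
        raise ValueError("unrecognised .reg header; expected one of %s" % (HEADERS,))
    actions, key = [], None
    for ln in _lines(text)[1:]:
        m = KEY_RE.match(ln)
        if m:
            minus, key = m.groups()
            if minus:                      # [-HKEY\...] removes the whole key
                actions.append(("delete_key", key))
                key = None
            continue
        m = VALUE_RE.match(ln)
        if m and key is not None:
            quoted, default, raw = m.groups()
            name = "" if default else quoted
            if raw == "-":                 # "Name"=- removes just that value
                actions.append(("delete_value", key, name))
            else:
                actions.append(("set_value", key, name, raw))
    return actions


def apply_reg(snapshot, text):
    """Apply a script to a copy of the snapshot; returns (new_snapshot, log)."""
    reg, log = copy.deepcopy(snapshot), []
    for action in parse_reg(text):
        kind, key = action[0], action[1]
        if kind == "delete_key":
            if reg.pop(key, None) is not None:
                log.append("deleted key " + key)
        elif kind == "delete_value":
            name = action[2]
            if name in reg.get(key, {}):
                del reg[key][name]
                log.append("deleted value %s\\%s" % (key, name))
            else:
                log.append("no value %s\\%s, nothing to do" % (key, name))
        else:
            name, raw = action[2], action[3]
            reg.setdefault(key, {})[name] = raw
            log.append("set %s\\%s = %s" % (key, name, raw))
    return reg, log


if __name__ == "__main__":
    cleaned, log = apply_reg(SNAPSHOT, CLEANUP_SCRIPT)
    print("\n".join(log))
```

Feeding the first script (header `REGEDIT`) to `is_valid_header` returns False, which is the whole reason for the repost; the second script produces two "deleted value" log lines against the snapshot. Note that deleting a launch-point value only removes the pointer: the executable stays on disk until it is deleted as well, and a running copy can simply write the value back, which is what the thread goes on to observe.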

 

by: ixpose99 | Posted on 2005-11-17 at 21:16:29 | ID: 15317691

OK, I added those keys to the registry.  I cannot delete csehg.exe because I cannot see it in explorer or killbox.  I will try to delete it in safemode after I do the kavweb scan.

Talk soon.

 

by: Mere_Mortal | Posted on 2005-11-18 at 01:51:44 | ID: 15318393

Just paste the file path into KillBox; if using the delete-on-next-reboot option, it won't care whether or not the file actually exists.

 

by: Mere_Mortal | Posted on 2005-11-18 at 01:52:58 | ID: 15318401

Sorry, when I say filepath, use both of these and reboot after the second one...

C:\WINDOWS\csehg.exe
C:\WINDOWS\System32\csehg.exe

 

by: ixpose99 | Posted on 2005-11-18 at 02:28:19 | ID: 15318523

OK, after I used killbox I ran silentrunner again and it showed this instead:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csthw.exe" [null data]

A new file in place of the old csehg.exe

I was also wondering about this entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Internet Shortcut" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]

Is that one anything important?

Using security task manager I don't see anything I don't know about except for the one with the highest rating:
c:\windows\system32\dmnym.exe

Maybe that's something to do with the daemon?

Anyway, I'm going to run the kavwebscan now.  I'll report in later today.
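The post above shows the pattern that makes this kind of infection hard to clear by hand: the launch-point value survives, only the file name behind it changes (csehg.exe becomes csthw.exe), and a second report has to be compared line by line against the first to notice. It also asks what to make of the ShellExecuteHooks entry, which the report prefixes with the same INFECTION WARNING! as the Winlogon value. The following is an added example (editor's code, not from the thread and not part of SilentRunners) that parses the report's three-line layout, scores each entry on the tags SilentRunners prints rather than on the WARNING prefix, and diffs two runs. The sample input is constructed from the lines quoted in the thread; note that the report lists the `System` value directly under the `Winlogon\` key, and that the hook entry's server DLL carries the `[MS]` tag, so it scores low while the `[null data]` Winlogon value scores high.

```python
"""Parse, score and diff SilentRunners-style launch-point listings.

Added example, not from the thread and not part of SilentRunners. The
report prints a key line ending in a backslash, then '"name" = "value"
[tag]' lines (optionally prefixed INFECTION/HIJACK WARNING!), then an
optional '-> {CLSID}\\InProcServer32...' resolution line. The score here
weighs those tags instead of the WARNING prefix, and the diff exposes a
persistence value that merely changed its file name between two runs.
"""
import re

WINLOGON_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
HOOKS_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\"
POLICY_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\"

# Constructed input: the flagged lines quoted in the thread from the first
# run, and from the run after the .reg merge and the KillBox reboot.
BEFORE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Internet Shortcut" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csehg.exe" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
"""
AFTER = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Internet Shortcut" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csthw.exe" [null data]
"""

KEY_RE = re.compile(r"^(HK[A-Z]{2}\\.*\\)$")
ENTRY_RE = re.compile(r'^(?:(INFECTION|HIJACK) WARNING! )?"([^"]+)"\s*=\s*'
                      r'(?:"([^"]*)"|([^\s\[]+))\s*(\[.*\])?$')
SERVER_RE = re.compile(r'^->\s*\{CLSID\}\\InProcServer32\\\(Default\)\s*=\s*"([^"]*)"\s*(\[.*\])?$')


def parse_launch_points(text):
    """Return {(key, value_name): record} for every entry in the listing."""
    points, key, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key, last = m.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            warn, name, quoted, bare, tag = m.groups()
            last = (key, name)
            points[last] = {"value": quoted if quoted is not None else bare,
                            "tag": tag or "", "warning": warn,
                            "server": None, "server_tag": ""}
            continue
        m = SERVER_RE.match(line)          # CLSID resolved to its in-proc DLL
        if m and last is not None:
            points[last]["server"], points[last]["server_tag"] = m.group(1), m.group(2) or ""
    return points


def suspicion(key, rec):
    """Score one entry; returns (score, reasons). Two or more merits a look.
    [null data] means the file carries no company name; [MS] means it claims
    Microsoft's, which is weak evidence on its own but not a red flag."""
    target = rec["server"] or rec["value"] or ""
    checks = [
        (2, "[null data]" in (rec["tag"], rec["server_tag"]), "no company name in version info"),
        (1, target.lower().endswith((".exe", ".dll")) and "\\" not in target,
         "bare file name, found via the search path at load time"),
        (1, "winlogon" in key.lower(), "loaded by Winlogon, before the user's shell"),
    ]
    return sum(w for w, hit, _ in checks if hit), [why for _, hit, why in checks if hit]


def triage(text, threshold=2):
    """Entries from one listing scoring at or above threshold, worst first."""
    rows = []
    for (key, name), rec in parse_launch_points(text).items():
        score, reasons = suspicion(key, rec)
        if score >= threshold:
            rows.append((score, key, name, rec["value"], reasons))
    return sorted(rows, reverse=True)


def diff_launch_points(before, after):
    """Compare two parsed listings; a value whose file name changed lands in
    'changed' even though the key and value name are identical."""
    b, a = set(before), set(after)
    return {"added": sorted(a - b), "removed": sorted(b - a),
            "changed": sorted(k for k in a & b if before[k]["value"] != after[k]["value"])}


if __name__ == "__main__":
    for score, key, name, value, reasons in triage(BEFORE):
        print("%d %s%s = %s (%s)" % (score, key, name, value, "; ".join(reasons)))
    print(diff_launch_points(parse_launch_points(BEFORE), parse_launch_points(AFTER)))
```

On the constructed input the only entry that clears the threshold is the Winlogon `System` value, in both runs, and the diff reports it as changed (csehg.exe to csthw.exe) with `NoBandCustomize` removed and nothing added. A changed file name on an otherwise identical launch point, immediately after the old file was deleted, is the signature of a component that is still running and re-arming itself.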

 

by: ixpose99 | Posted on 2005-11-18 at 04:13:44 | ID: 15318874

Here's the kavscan results, any thoughts?

-------------------------------------------------------------------------------
 KASPERSKY ON-LINE SCANNER REPORT
 Friday, November 18, 2005 07:09:05
 Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
 Kaspersky On-line Scanner version: 5.0.67.0
 Kaspersky Anti-Virus database last update: 18/11/2005
 Kaspersky Anti-Virus database records: 160508
-------------------------------------------------------------------------------

Scan Settings:
      Scan using the following antivirus database: extended
      Scan Archives: true
      Scan Mail Bases: true

Scan Target - Folders:
      C:\

Scan Statistics:
      Total number of scanned objects: 78089
      Number of viruses found: 15
      Number of infected objects: 96
      Number of suspicious objects: 5
      Duration of the scan process: 5667 sec

Infected Object Name - Virus Name
C:\apptb\SHARWARE\ZIPPERS\PKZIP\PK263WSP.EXE/TSADBOT.EXE      Infected: not-a-virus:AdWare.Win32.TimeSink
C:\apptb\SHARWARE\ZIPPERS\PKZIP\PK263WSP.EXE      Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RedSwoosh2.zip/RSInstaller.dll      Infected: not-a-virus:AdWare.Win32.RedSwoosh.a
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RedSwoosh2.zip      Infected: not-a-virus:AdWare.Win32.RedSwoosh.a
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/3.exe      Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/5.exe      Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/IEDRIVER.EXE      Infected: Trojan-Downloader.Win32.Turown.b
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/IEUPDATE.EXE      Infected: Trojan-Downloader.Win32.Turown.b
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/td.exe      Infected: Trojan-Downloader.Win32.Turown.c
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip      Infected: Trojan-Downloader.Win32.Turown.c
C:\Documents and Settings\Kurt Tilton\Desktop\Performance and cleanup\keyfinder.exe/xpkey.exe      Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\Documents and Settings\Kurt Tilton\Desktop\Performance and cleanup\keyfinder.exe/officekey.exe      Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\Documents and Settings\Kurt Tilton\Desktop\Performance and cleanup\keyfinder.exe      Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/iX-PCs/Virus/28 Apr 2002 19:01 from Francis:Birthplace .html      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/iX-PCs/Virus/29 Apr 2002 14:14 from kennethfink:Attachment sent with your mes.html      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/iX-PCs/Virus/30 Apr 2002 01:51 from kurt_meklenburg:Re:some questions.html      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/iX-PCs/Virus/30 Apr 2002 17:30 from RMILLER:A  good tool.html      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\007443EC.exe      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\007443EC.pif      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\007443EC.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\00786DE9.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01357118.rar/rock.bat      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01357118.rar      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\016C45F2      Infected: Backdoor.IRC.Ataka.d
C:\Program Files\Norton AntiVirus\Quarantine\019D30A5.bat      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01A4049E/picacu.exe      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01A4049E      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01A72E9B      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01AA5897/install.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01AA5897      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0219236C      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\025F301D      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\032E04C1      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0377789C      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\037A2299      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\04BD5F35      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\05A25A39      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\05A92E32      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\06076FCA      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\062B3DA3      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\06590970      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\06A7791A      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\071038A7      Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\071E151A      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\07200A95      Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\07305C83      Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\0744586D      Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\07542A5C      Infected: Virus.Win32.Elkern.c
C:\Program Files\Norton AntiVirus\Quarantine\0DF06C1C      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E2768D9      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E2B12D5      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E3166CE      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E3510CB      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E383AC7      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E3B64C3      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E3E0EC0      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E4238BC      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E4562B9      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E480CB5      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E4B36B1      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E4F60AE      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E693091      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0E6C5A8D      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0FBC7019      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\0FFB3E79      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\162C3A41/play.bat      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\162C3A41      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\191A3213      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\1980281B      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\1DE62302.pif      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\1DE62302.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\20277B40      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\22393127      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\25106419      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\267E6B51      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\3D1A3637/demo.pif      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\3D1A3637      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\3D6626C2/demo.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\3D6626C2      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\46711CBF      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\48270E1D      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\53525414      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\541D5589/setup.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\541D5589      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\57C61B40      Infected: Backdoor.Win32.Freddy.2001
C:\Program Files\Norton AntiVirus\Quarantine\5C5E05DD      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\61E60A82      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\634876E4.exe      Infected: P2P-Worm.Win32.Banuris.a
C:\Program Files\Norton AntiVirus\Quarantine\63AE0102.scr      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6564458E/snoopy.bat      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6564458E      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6C510FF9/setup.pif      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6C510FF9      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\6DAB4983      Infected: Trojan-Dropper.VBS.Delud
C:\Program Files\Norton AntiVirus\Quarantine\717F7D4C      Infected: Trojan-Dropper.VBS.Delud
C:\Program Files\Norton AntiVirus\Quarantine\76CF741F      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\779E48C3/rock.pif      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\779E48C3      Infected: Email-Worm.Win32.Klez.h
C:\SIERRA\Half-Life\hltv.exe      Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\WINDOWS\system32\first.awp      Infected: not-a-virus:AdWare.Win32.InstallDollar.c

Scan process completed.

 

by: Mere_Mortal | Posted on 2005-11-18 at 05:56:41 | ID: 15319448

Yeah, that explains a lot. Half of it you could purge out of your quarantine vaults, some you might get rid of by removing dubious directories, and I include anything of P2P networking also. I say that because you've picked up a mass-mailer and that's probably left you with other stuff, at the least something has hit you pretty hard.

This is a good time for Kaspersky's trial anti-virus, I think it's good for 30 days. Very useful when it's needed, such a shame it's only a testimonial.

Personal - http://www.kaspersky.com/productupdates?chapter=146244099
PersonalPro - http://www.kaspersky.com/productupdates?chapter=146244102

At least that will remove what it can, unlike the online scan, and it seems to be finding things. The question is whether it'll remove what's loaded into memory, like that WinLogon hijack for instance.

See how its installation and scanning goes for you, and in the meantime also, if you don't have an XP Setup Disk, I recommend acquiring one because there's always a possibility of system files being missing or corrupt.

Regards,
M_M
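The report above counts 96 infected objects, but the reply is right that most of them are not live: a scanner reports every member of an archive separately and also walks into another product's quarantine store and into Spybot's recovery backups. The following is an added example (editor's code, not from the thread and not a Kaspersky tool) that collapses the report's nested `archive/member` entries to the file on disk, labels each container by where it sits, and separates true malware verdicts from `not-a-virus:` riskware and heuristic `Suspicious:` hits. The sample input is a constructed subset of the report's own lines; on those lines every malware-class verdict sits in the Norton quarantine, the Spybot recovery folder or the Outlook mail store, and the only live hits are riskware or adware, which is consistent with the Winlogon entry having survived the scan untouched.

```python
"""Bucket the hits in a Kaspersky on-line scanner report by where they live.

Added example, not from the thread. A scanner counts every member of an
archive and every file in another product's quarantine; this collapses
nested entries to the on-disk file, labels each by location, and keeps
malware verdicts apart from not-a-virus riskware and heuristic hits, so
"what is actually live on this box?" gets a direct answer.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the report above.
SAMPLE = r"""
C:\apptb\SHARWARE\ZIPPERS\PKZIP\PK263WSP.EXE/TSADBOT.EXE      Infected: not-a-virus:AdWare.Win32.TimeSink
C:\apptb\SHARWARE\ZIPPERS\PKZIP\PK263WSP.EXE      Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip/IEDRIVER.EXE      Infected: Trojan-Downloader.Win32.Turown.b
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload2.zip      Infected: Trojan-Downloader.Win32.Turown.c
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/iX-PCs/Virus/30 Apr 2002 17:30 from RMILLER:A  good tool.html      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Kurt Tilton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst      Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\007443EC.exe      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\016C45F2      Infected: Backdoor.IRC.Ataka.d
C:\Program Files\Norton AntiVirus\Quarantine\01A4049E/picacu.exe      Infected: Email-Worm.Win32.Klez.h
C:\Program Files\Norton AntiVirus\Quarantine\01A4049E      Infected: Email-Worm.Win32.Klez.h
C:\SIERRA\Half-Life\hltv.exe      Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\WINDOWS\system32\first.awp      Infected: not-a-virus:AdWare.Win32.InstallDollar.c
"""

HIT_RE = re.compile(r"^(.+?)\s{2,}(Infected|Suspicious):\s*(\S+)\s*$")


def container_of(path):
    """Kaspersky separates archive members with '/'; the on-disk file is
    everything before the first one (Windows paths themselves use '\\')."""
    return path.split("/", 1)[0]


def location_of(container):
    low = container.lower()
    if "\\quarantine\\" in low:
        return "quarantine"          # already neutralised by another product
    if "\\spybot - search & destroy\\recovery\\" in low:
        return "removal backup"      # Spybot's undo copies of removed items
    if low.endswith(".pst"):
        return "mail store"          # old messages, not executing code
    return "live"


def verdict_class(status, verdict):
    if status == "Suspicious":
        return "heuristic"
    if verdict.startswith("not-a-virus:"):
        return "riskware"
    return "malware"


def classify_report(report):
    """Return {container: (location, {verdict classes}, {verdict names})}."""
    out = {}
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        path, status, verdict = m.groups()
        c = container_of(path)
        entry = out.setdefault(c, (location_of(c), set(), set()))
        entry[1].add(verdict_class(status, verdict))
        entry[2].add(verdict)
    return out


def live_malware(report):
    """Containers outside quarantine/backup/mail that carry a malware verdict."""
    return sorted(c for c, (loc, classes, _) in classify_report(report).items()
                  if loc == "live" and "malware" in classes)


def summary(report):
    """Counter of (location, verdict class) over distinct on-disk containers."""
    counts = Counter()
    for loc, classes, _ in classify_report(report).values():
        for cls in classes:
            counts[(loc, cls)] += 1
    return counts


if __name__ == "__main__":
    for (loc, cls), n in sorted(summary(SAMPLE).items()):
        print("%-15s %-10s %d" % (loc, cls, n))
    print("live malware:", live_malware(SAMPLE) or "none")
```

Quarantine and recovery stores can simply be emptied from the product that owns them; the mail-store hits are old messages and are cleared by deleting them in Outlook and compacting the .pst. An empty `live_malware` list from a scan that the active infection evidently survived is itself a finding: it says the scanner is not seeing the component that keeps rewriting the Winlogon value, not that the machine is clean.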

 

by: Mere_Mortal | Posted on 2005-11-18 at 06:31:30 | ID: 15319731

Another thing...it might be worth checking the contents of BOOT.INI which is in the root directory (C:\).

I'm going to take a closer look at that KAV log, we just don't know if it's really finding everything.

Another idea...go to Start > Run > and enter MSCONFIG

Under Services and Startup...check for and disable anything suspicious (you can always reverse any errors with these options)

Under Boot.INI...check the box "/BOOTLOG"

Exit MSCONFIG and concur with the prompt. After reboot, locate the file C:\WINDOWS\ntbtlog.txt. This is a list of drivers and other system processes that were run to load the operating system, but there is the possibility (I think) of something bad showing up in such a logfile. I do not recommend taking any action on its contents. If you are however comfortable with digging deep, IceSword might be of use, which is not unlike many other programs that display running tasks, DLLs, registries, etc.

http://xfocus.net/tools/200509/IceSword_en1.12.rar
http://www.rarlab.com/rar/wrar351.exe

As for the Bootlog, it could be useful at some point, so you might send that to a spare floppy disk.

 

by: Mere_Mortal | Posted on 2005-11-18 at 07:43:29 | ID: 15320326

Sorry, I'm probably confusing you with all these posts.

Before installing KAV, ensure you disable or uninstall your current anti-virus software (the latter might be a consideration since it has evidently done very little to protect you).

A good idea would be using Total Uninstall...

http://www.martau.com/tu_download.php

...which will firstly take a snapshot of the system, then after installing something, a further snapshot will compare the two points. TU can then be used, preferably AFTER using the actual uninstaller first, to remove all recorded changes.

This is useful in this scenario so as to avoid any possible conflicts between the AVs.

 

by: ixpose99 | Posted on 2005-11-30 at 14:04:52 | ID: 15392129

Sorry it's been so long - things have been hectic.  I'm considering just saying "to hell with it" since Firefox works fine and the problem is apparently so embedded.

MM: I will award the points to you on Thursday, Dec 1.  Thank you for all your help and your time, you were very clear and helpful and diligent even though the problem is still there.

Thanks again.

 

by: Mere_Mortal | Posted on 2005-11-30 at 20:34:59 | ID: 15394077

Hi :)

That's very kind of you, although I'm sorry none of it could solve the problem. I hope you can nail it, once & for all.

Firefox is however a good choice, it does offer better protection than other browsers.

If you haven't already, I do advise looking over the Kaspersky logfile and deleting everything that's there.

Take care,
M_M
